Free Practice Questions for GitHub GitHub-Advanced-Security Exam

To change the threshold that defines whether a pull request fails due to code scanning alerts (such as blocking merges based on severity), the user must haveAdminaccess on the repository. This is because modifying these settings falls under repository configuration privileges.

Users with Write, Maintain, or Triage roles do not have the required access to modify rulesets or status check policies.

In a workflow: GitHub Actions workflows are the most common place for CodeQL code scanning. The codeql-analysis.yml defines how the analysis runs and when it triggers.

In an external CI system: GitHub allows you to run CodeQL analysis outside of GitHub Actions. Once complete, the results can be uploaded using the upload-sarif action to make alerts visible in the repository.

You cannot run or trigger analysis from third-party repositories directly, and theFiles changed tabin pull requests only shows diff — not analysis results.

By default,users with Write, Maintain, or Admin permissionswill receive notifications for newDependabot alerts. However,Write permissionis theminimum levelneeded to be automatically notified. Users with only Read access do not receive alerts unless added explicitly.

The GitHub Code Scanning API includes endpoints that allow you to:

List alertsfor a repository (filtered by branch, state, or tool) — useful for monitoring security over time.

Get a single alertby its ID to inspect its metadata, status, and locations in the code.

However, GitHub doesnotsupport modifying the severity of alerts via API — severity is defined by the scanning tool (e.g., CodeQL). Likewise, alertscannot be deletedvia the API; they are resolved by fixing the code or dismissing them manually.

When defining a custom pattern for secret scanning, two key fields are required:

Name of the pattern: A unique label to identify the pattern

Secret format: A regular expression that defines what the secret looks like (e.g., token format)

You can optionally specifyadditional match requirements(like required context keywords), but they’re not mandatory. Listing repositories is also not part of the required fields during pattern creation.

Secret validationchecks whether a secret found in your repository is still valid and active with the issuing provider (e.g., AWS, GitHub, Stripe). If a secret is confirmed to be active, the alert ismarked as verified, which means it's considered ahigh-priority issuebecause it presents an immediate security risk.

This helps teams respond faster tovalid, exploitablesecrets rather than wasting time on expired or fake tokens.

The best way toprioritizesecret scanning alerts is tofilter by active secrets— these are secrets GitHub has confirmed are still valid and could be exploited. This allows security teams to focus on high-risk exposures that require immediate attention.

Sorting by time or filtering by custom patterns won’t help with risk prioritization directly.

You shoulddismissa code scanning alert if the flagged code isnot a true security concern, such as:

Code in test files

Code paths that are unreachable or safe by design

False positives from the scanner

Fixing the code would automaticallyresolvethe alert — not dismiss it. Dismissing is for valid exceptions or noise reduction.

A Dependabot alert is marked asresolvedonly after the relatedpull request is mergedinto the repository. This indicates that the vulnerable dependency has been officially replaced with a secure version in the active codebase.

Simply generating a PR or passing checks does not change the alert status; merging is the key step.